Contents
Most default Linux installations use SYN cookies to protect the system against malicious attacks (such as DDOS) that flood TCP SYN packets. This feature is not compatible with stable and busy Geode clusters. Setting this value to zero disables SYN cookies.
SYN cookie is a technique used to resist IP address spoofing attacks. Instead of storing additional connections, the SYN queue entry is encoded into the sequence number sent in the SYN+ACK response.
How do I disable SYN cookies in Linux?
To disable SYN cookies permanently:
- Edit the /etc/sysctl.conf file to include the following line: net.ipv4.tcp_syncookies = 0. Setting this value to zero disables SYN cookies.
- Reload sysctl.conf : sysctl -p.
SYN cookies is a technical attack mitigation technique whereby the server replies to TCP SYN requests with crafted SYN-ACKs, without inserting a new record to its SYN Queue. Only when the client replies this crafted response a new record is added.
Despite /etc/selinux/config being set with disabled or permissive, when the servers boot, selinux is in enforcing mode again. The only way to disable SELinux is by doing echo 0 > /proc/sys/net/ipv4/tcp_syncookies every time the servers boot.
How to turn on TCP SYN cookie protection in Linux?
Use sysctl command to configure or see kernel parameters at runtime. To see the current settings for net.ipv4.tcp_syncookies kernel parameter, enter: Save and close the file. To reload the change, type: How to set advanced security options of the TCP/IP stack and virtual memory to improve security and performance of your Linux based system.
SYN Cookies are the key element of a technique used to guard against flood attacks. The use of SYN Cookies allows a server to avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged.
The use of SYN Cookies allows a server to avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged.